e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

Resubmissions

02-12-2024 02:16

241202-cqmawszjeq 10

02-12-2024 02:12

241202-cncnnstqcv 10

30-11-2024 13:53

241130-q7gnmavrdw 10

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Size

663KB
MD5

7df4d51141b1c657e2c5f78ada3b526a
SHA1

d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8
SHA256

f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca
SHA512

fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a
SSDEEP

12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei

Score

10^/10

defense_evasion discovery evasion execution impact ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\READ_NOTE.html

Ransom Note

<div class="tabs1"> <div class="head">Your personal ID:</div> <div class="identi">kkwstpsxHTybqfiDLR0UfwRDz81WdkpLqmyyGXvmIWNDLVR2nGuYD3qORBoVKASaz1Cj5a9ewJ54TO8I9QmMKUQI6gOgnq3vABoMHDx065f51uLYIui9gewUyaf9030Cq7UYH7smBFf/avHsrL2N3P5tMiaF6k2oyHsi81D0IzllS3EXi+z1/9StCRL4aQ11ajyaAR2Fd+VMMcNDsQ71N2og9KxlEaarS+7sS6e+3Q5/jr264E6QKRElw1j/Ig3ofm/4ljuSQWJx3JNjQuOSPHvXBaYD6/VYqV1Mvf+4V4+ZjMmvZ31eEjlqgUUXDtgHNOwjzm+68JwdBOot1EkrDQ==� </div> </div>  <div class="tabs"> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! <hr />Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. When you compose a letter, please indicate the PERSONAL ID from the beginning of the note, so that we can more specifically approach the formation of conditions for you. <hr />Contact us for price and get decryption software. <hr />email: <a href="[email protected]">[email protected] </a> <a href="[email protected]">[email protected] </a> OUR TOX: <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> * To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </a> *Our site and Tor-chat to always be in touch: </div> </div> </div>  xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion  </div>

Emails

href="[email protected]">[email protected]

URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2596 created 1200	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	21

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2512	bcdedit.exe

Renames multiple (5711) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2568	wbadmin.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\W:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\J:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\M:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\F:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\R:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\V:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\B:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\I:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\X:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\L:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\H:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\K:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Q:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\N:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\P:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\O:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\U:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Y:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\E:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\G:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\S:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\T:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened (read-only)	\??\Z:	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org
9	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\output.bmp"	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DOTS.POC	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297759.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200189.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.IDX_DLL	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\sbdrop.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Mozilla Firefox\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File created	C:\Program Files\MSBuild\Microsoft\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Module.eftx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL082.XML	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File created	C:\Windows\READ_NOTE.html	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\bootstat.dat	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Starter.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\mib.bin	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\Ultimate.xml	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
File opened for modification	C:\Windows\WMSysPr9.prx	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2936	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: SeBackupPrivilege	1936	vssvc.exe
Token: SeRestorePrivilege	1936	vssvc.exe
Token: SeAuditPrivilege	1936	vssvc.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2776	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	32
PID 2596 wrote to memory of 2776	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	32
PID 2596 wrote to memory of 2776	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	32
PID 2596 wrote to memory of 2776	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	32
PID 2596 wrote to memory of 2708	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	33
PID 2596 wrote to memory of 2708	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	33
PID 2596 wrote to memory of 2708	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	33
PID 2596 wrote to memory of 2708	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	33
PID 2596 wrote to memory of 2668	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	34
PID 2596 wrote to memory of 2668	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	34
PID 2596 wrote to memory of 2668	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	34
PID 2596 wrote to memory of 2668	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	34
PID 2596 wrote to memory of 2624	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	35
PID 2596 wrote to memory of 2624	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	35
PID 2596 wrote to memory of 2624	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	35
PID 2596 wrote to memory of 2624	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	35
PID 2776 wrote to memory of 1948	2776	cmd.exe	36
PID 2776 wrote to memory of 1948	2776	cmd.exe	36
PID 2776 wrote to memory of 1948	2776	cmd.exe	36
PID 2776 wrote to memory of 1948	2776	cmd.exe	36
PID 2668 wrote to memory of 2620	2668	cmd.exe	37
PID 2668 wrote to memory of 2620	2668	cmd.exe	37
PID 2668 wrote to memory of 2620	2668	cmd.exe	37
PID 2668 wrote to memory of 2620	2668	cmd.exe	37
PID 2596 wrote to memory of 2648	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	38
PID 2596 wrote to memory of 2648	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	38
PID 2596 wrote to memory of 2648	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	38
PID 1948 wrote to memory of 2936	1948	cmd.exe	40
PID 1948 wrote to memory of 2936	1948	cmd.exe	40
PID 1948 wrote to memory of 2936	1948	cmd.exe	40
PID 2708 wrote to memory of 2796	2708	cmd.exe	41
PID 2708 wrote to memory of 2796	2708	cmd.exe	41
PID 2708 wrote to memory of 2796	2708	cmd.exe	41
PID 2708 wrote to memory of 2796	2708	cmd.exe	41
PID 2624 wrote to memory of 2164	2624	cmd.exe	42
PID 2624 wrote to memory of 2164	2624	cmd.exe	42
PID 2624 wrote to memory of 2164	2624	cmd.exe	42
PID 2624 wrote to memory of 2164	2624	cmd.exe	42
PID 2620 wrote to memory of 2560	2620	cmd.exe	43
PID 2620 wrote to memory of 2560	2620	cmd.exe	43
PID 2620 wrote to memory of 2560	2620	cmd.exe	43
PID 2796 wrote to memory of 2568	2796	cmd.exe	44
PID 2796 wrote to memory of 2568	2796	cmd.exe	44
PID 2796 wrote to memory of 2568	2796	cmd.exe	44
PID 2164 wrote to memory of 2512	2164	cmd.exe	45
PID 2164 wrote to memory of 2512	2164	cmd.exe	45
PID 2164 wrote to memory of 2512	2164	cmd.exe	45
PID 2648 wrote to memory of 1460	2648	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	48
PID 2648 wrote to memory of 1460	2648	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	48
PID 2648 wrote to memory of 1460	2648	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	48
PID 2596 wrote to memory of 1656	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	52
PID 2596 wrote to memory of 1656	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	52
PID 2596 wrote to memory of 1656	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	52
PID 2596 wrote to memory of 836	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	51
PID 2596 wrote to memory of 836	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	51
PID 2596 wrote to memory of 836	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	51
PID 2596 wrote to memory of 1608	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	53
PID 2596 wrote to memory of 1608	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	53
PID 2596 wrote to memory of 1608	2596	f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe	53

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  "C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2512
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:836
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:1656
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:1608
- C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca.exe -network -skip_misc
  2⤵
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\READ_NOTE.html

Filesize
3KB

MD5
af8aa9a26c08ebcb4acf733f68b6ef52

SHA1
b0e03418e6e494b8acf58c2f195e7278b95a6a8e

SHA256
8249e68e742241ffb2da9cdd731564de4f6453614a9dc33203ccae51f5c2b953

SHA512
d6c6dd4b60c82a55e64f1ef784a750ac56d06f2ad7e9c7e25124b9e6ebed655fed078f41cefa651161b8f9d6a53f3e3489cecd27d5cc13560ba2caeee8fb9114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
090359b61aaf20571a6cbd803eb95379

SHA1
552047f322817a159878e0116ba7caf5900e0bda

SHA256
2c6a9d19957fab38591bbb677ed90860ba6ddaaa8301263c90387dca23cac6ad

SHA512
e63691a9ae8763d7a5bbc850e497d2c7c5750ea172ab85734c764e61bf9f795b64f437db6b2fb4ad837b2274b777243aacc33d79439906659706998700c13d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
8dc5102bafd89c832c93256c375e56b1

SHA1
8119cb12c0d3d3301363cdcb86a7e1ad6afefbcd

SHA256
21134a9073649bea97937ca38ce9a84f6280c2d9d7e1a3b5ec1fb6b3f0bd7bf0

SHA512
d877918cdc585538c45c23a524fc5b7e3a21821459e237c5d72c552edd21ec2d5dce46320add088d7936d7c077666c768dde7ffea9941dba9b5c6f7e7700a12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA70.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\external_ip.wehavesolution247

Filesize
14B

MD5
2c807857a435aa8554d595bd14ed35d1

SHA1
9003a73beceab3d1b1cd65614347c33117041a95

SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b

SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

Download Submit